On January 1, 2023, the substantive provisions of the California Privacy Rights Act (CPRA) came into effect. In summary, the law states that many for-profit organizations that operate in California will now have to adhere to more stringent requirements when it comes to their handling of private user data.
For the uninitiated: The CPRA is a state-wide data privacy bill that was passed into law on November 3, 2020, and became enforceable January 1, 2023.
The passing of the Act marked a significant milestone in the progress of U.S. privacy law, marking out California as leading the way when it comes to passing comprehensive state privacy laws.
In fact, to this day it remains one of only three U.S. states to do so, with Virginia and Colorado following its lead soon after.
Why the CPRA is Important
The CPRA further fundamentally underscores California’s standing as being at the very frontier of U.S. data privacy law by adding to and strengthening its existing legislation.
The Act came into full effect on January 1, 2023, with enforcement scheduled to kick off on July 1, 2023. It is important to note that the enforcement process will encompass a “lookback period”, meaning that data collected as far back as January 1, 2022, will be liable for compliance regulation.
The CPRA is distinct from other states’ legislation in that it includes provisions requiring that any amendments to the law be consistent with its purpose and intent, making it significantly more resistant to being watered down in the future regardless of industry pressures or the actions of special interest groups.
Let’s take a quick look at the scope of the new Act, as well as some of the notable changes it brings.
Understanding the Scope of California’s New Privacy Laws
CPRA regulations apply to organizations that control the personal data of 100,000 or more consumers per year, as well as businesses that handle or process the personal data of 25,000 or more consumers. In addition to this, the Act also applies to those who derive revenue or receive a discount on the price of goods and services from the sale of personal data.
It is important to note, however, that the Act, much like its more recent equivalents in Colorado and Virginia, does include exemptions for organizations that are already regulated under federal laws.
Perhaps most significantly, the CPRA creates a new category of personal information, called sensitive personal information (SPI).
SPI includes data on race and ethnicity, religious beliefs, political and philosophical convictions, data on sex life or sexual orientation, genetic and biometric data, health data, geolocation, social security number and driver’s license, and financial information.
Information that falls into any of these categories will now be treated as SPI and regulated separately from “normal” personal information. Users will also enjoy expanded rights over how their SPI is used, including the right to have collected SPI disclosed, to opt out of SPI use, and to give consent to use SPI if they have previously opted out.
The CPRA gives new scope and power to the California Privacy Protection Agency (CPPA) by effectively changing who must meet its requirements, and in this sense can be seen as an addendum to the California Consumer Privacy Act (CCPA) that exists to reinforce resident rights and strengthen regulations on the use of personal data.
The process to get where we are today has been lengthy and has involved the establishment of a new government agency, the CPPA, whose sole purpose is to regulate state-wide data privacy laws.
Enforcement and Compliance
Organizations covered by California’s privacy laws should take immediate steps to ensure they are meeting CCPA requirements. These steps will include, but are not limited to:
- Implementing cybersecurity safeguards.
- Creating a process to allow consumers to submit personal data requests.
- Creating a process for appealing personal data request decisions.
- Making it clear that website visitors have the right to opt out of targeted advertising and the sale of their personal data.
- Establishing a user-selected universal opt-out mechanism.
- Updating your contracts with third parties to ensure compliance with the laws.
- Obtaining consent before collecting visitor data.
- Setting up a procedure to establish when a data protection assessment should be conducted.
By following all the above steps, you can rest assured that you are doing everything within your power to meet CCPA requirements and to provide your visitors with the level of data protection they have come to expect and, quite frankly, deserve.
This Is Just the Beginning
At the time of writing, California remains one of only three U.S. states to have passed comprehensive data privacy legislation. With the introduction of the CPRA, its status as a frontrunner and trailblazer in the development of U.S. data privacy law is second to none.
In addition, the requirements introduced by the CPRA make the road ahead for other U.S. states clearer than it has ever been before. It is simply a matter of time until more robust laws are passed to cover organizations that operate in every U.S. state.
In other words, now is the time to check your website’s handling of personal information, wherever you are.
By staying ahead of the game when it comes to data privacy, you can provide huge benefits for both your staff and website visitors going into the future.